How to Protect Your Business From Ransomware Attacks

It is reported that 10% of data breaches in which data is stolen now involve ransomware. In 2022, the rise in ransomware breaches was greater than in the previous five years. In 2021, 66% of companies were affected by ransomware. The statistics make it clear that ransomware is a business risk that many organisations need to consider when protecting themselves from data and privacy breaches. In this article, we explain how ransomware could affect you and which measures help prevent future attacks. 

What Is Ransomware?

Ransomware is a kind of malware, or malicious software, that is designed to encrypt a victim's files, systems, or networks, rendering them inaccessible. The attacker then demands payment for the decryption key needed to unlock the files. They may also threaten to release sensitive data if the victim organisation does not pay the ransom. Ransomware is usually downloaded onto a computer or system unknowingly, by opening a harmful email attachment or clicking a link that has malware embedded in it. 

If a ransomware attack results in the unauthorised alteration, destruction, or disclosure of personal data, it may be considered a data protection breach under the General Data Protection Regulation (GDPR), which can result in significant fines and reputational damage if not dealt with correctly.

In 2021, the US Colonial Pipeline shut down for several days following a $4.4 million ransomware attack. In January 2023, The Guardian newspaper confirmed that it had suffered a ransomware attack that disrupted some of its services. The full details of the attack are unknown, but it is reported that the attackers gained access to the newspaper's systems through a compromised account.  

“In the UK, law enforcement advises against agreeing to ransom payment demands because it doesn’t mean that you will get access to the data you have lost and your networks or systems will still be infected with malware. This means you will likely be targeted in future attacks. It is best to take preventative measures and ensure your organisation has a clear response plan should an attack occur.”

  • Charlotte Gerrish of Gerrish Legal

Ransomware and Data Protection

Companies often overlook ransomware when working to comply with the GDPR. The Information Commissioner's Office (ICO) recognises ransomware as one of the biggest categories of cyber incident affecting personal data, resulting in loss of access to personal data and, in the worst case, permanent data loss. Stolen personal data can then be further exploited by criminals. As the data processor, if you experience a personal data breach due to a ransomware attack, under Article 33(2) GDPR you must inform the ICO of the breach without undue delay.

How to Prevent Ransomware Attacks

Here are some key measures that you can implement to protect your business from ransomware: 

Implement Secure Password Policies

Ransomware attackers steal login credentials, such as usernames and passwords, to access company systems. A secure company password policy should require employees to create complex passwords that are changed regularly, so that an attacker who obtains one cannot keep long-term access to company systems. Employees should also be discouraged from reusing passwords across multiple accounts. It is also advisable to change passwords when an employee leaves the organisation, to minimise the risk of sensitive information being known to people outside it. 

You could also implement multi-factor authentication, so that employees must provide a second form of authentication, such as a code sent to their phone or a fingerprint scan, in addition to their username and password when logging into company systems. This prevents unauthorised access even if an attacker steals login credentials.

Regularly Back up Data

Regularly backing up data, and confirming that each backup completed successfully and can be restored, is a crucial defensive measure. Create and store regular backups on a separate medium, such as an external hard drive or a cloud-based storage system, kept apart from the systems being backed up. That way you still have access to a recent copy of your data even if a ransomware attack encrypts the originals.
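"Making sure the backups have successfully been completed" is the step most often skipped, so here is a small worked example of how to check it. This script is an added illustration and is not code from the original article or from Gerrish Legal; the directory layout, file names and file contents are constructed in a temporary folder purely for the demonstration. It records a SHA-256 digest of every file at backup time and later compares the backup copy against that manifest, reporting files that are intact, missing, or altered (an altered file in a backup is a warning sign of corruption or of ransomware having reached the backup itself).

```python
"""Backup integrity check: hash a source tree into a manifest, then confirm
the backup copy still matches it. Added example code, not from the original
article. All paths and sample files below are constructed in a temp dir."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against the manifest taken at backup time.

    Returns which files are intact ("ok"), absent from the backup ("missing"),
    or present but with different contents ("changed"). A changed file is the
    case to alarm on: it means the backup no longer holds what was saved."""
    result = {"ok": [], "missing": [], "changed": []}
    for rel, digest in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            result["missing"].append(rel)
        elif sha256_of(candidate) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate the backup
    being damaged (one file overwritten with random bytes, one deleted)."""
    work = Path(tempfile.mkdtemp())
    try:
        src, dst = work / "live", work / "backup"
        src.mkdir()
        (src / "contracts.txt").write_text("client agreement v3\n")
        (src / "payroll.csv").write_text("name,amount\nA,100\n")
        (src / "notes").mkdir()
        (src / "notes" / "todo.txt").write_text("renew cert\n")

        manifest = build_manifest(src)   # taken at backup time
        shutil.copytree(src, dst)        # the "backup" itself
        assert verify_backup(manifest, dst)["missing"] == []  # fresh copy is clean

        # Simulated damage to the backup location.
        (dst / "payroll.csv").write_bytes(os.urandom(32))
        (dst / "notes" / "todo.txt").unlink()
        return verify_backup(manifest, dst)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

In practice the manifest would be written alongside the backup (or, better, kept on a separate system that the backed-up hosts cannot write to), and the verification run on a schedule so that a backup which silently failed or was tampered with is noticed before it is needed for recovery.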

Educate Your Employees on Phishing Attacks

Phishing involves sending fraudulent emails, text messages, or other forms of communication to trick individuals into divulging sensitive information like usernames, passwords, or financial data.

Phishing is a common entry point for ransomware: attackers use it to trick employees into downloading malware or clicking on malicious links. You could create an internal policy document that describes the types of attack your company may be exposed to and, for instance, what employees should do if they receive a suspicious email, such as reporting it to a senior staff member. Educating your employees about phishing reduces the risk of a successful ransomware attack. 

Keep Systems up to Date With Security Patches

In the case of the Guardian ransomware attack, the attackers reportedly gained access through a zero-day vulnerability in a popular software product.

A zero-day vulnerability is a software vulnerability that is unknown to the vendor and for which no patch or fix is yet available. The attackers exploited such a vulnerability to access the company's systems.

Therefore, staying current with software updates and security patches is very important. Employees should also keep their own devices, such as laptops and smartphones, updated with security patches, as these can be a potential entry point for attackers.

Have Effective Incident Response Plans

Even with your best efforts at prevention, it is vital to have a response plan in place in case a ransomware attack succeeds.

An effective incident response plan should outline the steps to contain the attack and prevent it from spreading, as well as the steps to recover your data and restore your systems.

The Guardian's response to the attack included shutting down some of its services during its investigation. Your response plan can include the key contacts in case of an attack, escalation criteria, and a flow chart covering what should be done at each stage and when to involve legal support. 

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you; get in contact with us today for more information.
